[Snort-users] Snort SACK Option DoS clarifications

Martin Roesch roesch at ...1935...
Mon Sep 12 19:27:18 EDT 2005


FYI, here are a few points about this issue.

1) It's a DoS if you're running in verbose mode.  If you're running
Snort as a NIDS you shouldn't be running in verbose mode as it will
torpedo your performance; this has been known for over 6 years now.
If you're running in sniffer mode and someone DoS's you, go grab
log.c from CVS, recompile and you're fine.

2) This is a NULL pointer dereference, so it won't turn into more  
than a DoS.

3) The guy who released the advisory for this relatively minor issue  
decided to do so without coordination with the Snort project or  
Sourcefire, even though we asked him to wait so we could coordinate.   
Rolling out a Snort release is a complex series of events and we have  
several other bug fixes that we're putting together for 2.4.1 (check  
out CVS if you want to see the fixes) plus docs and so on that need  
to go in there.

Fact of the matter is that this guy decided that responsible  
disclosure wasn't necessary in this case and then decided to make a  
big deal out of it (high risk my ass).  Whatever.  We'll get 2.4.1  
out as soon as we can and that'll be that.

If anyone has any questions or comments feel free to drop me a mail.


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
